A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2761  by kiskav
 Thu Sep 16, 2010 3:09 am
Does anyone have any idea about the Fakespypro gang? I hope they too will have a big history like Dogma Millions.

Some of the variants of Fakespypro noticed to date are Antivirus System Pro, Antivirus Solution Pro, Antivir Solution Pro, Security Suite, Antivirus IS... The list keeps going.
Note: I don't remember all the other clones. Below is the GUI of one of its variants.


Recently, around Sept 11, a huge outbreak occurred. Most US users got their PCs infected with the rogueware "Security Suite". Does anyone have any idea how these creators manage to create such a big impact?

I am aware of the generic answers like "crack sites, social networking sites, porn sites spread this." Apart from this generic answer, does anyone have a specific track on this gang?

Note: on Sept 16 the creators changed the rogueware "Security Suite" to "Antivirus IS". If anyone has a sample of "Antivirus IS", please share it as well.

Thanks & Regards,
Kiskav
 #2763  by EP_X0FF
 Thu Sep 16, 2010 8:40 am
kiskav wrote: Recently, around Sept 11, a huge outbreak occurred. Most US users got their PCs infected with the rogueware "Security Suite". Does anyone have any idea how these creators manage to create such a big impact?
Adobe Reader/Flash zero days? :)
 #2765  by kiskav
 Fri Sep 17, 2010 1:21 am
Hi Ep,

Thanks for your reply. From what I read and saw, the Adobe exploit dropped the files csrss.exe and sendEmail.dll, registered them and forwarded a link to the infected user's contacts.

I've also seen the same in nullptr's sample. So the Adobe exploit should not be affiliated with this FakeSpypro outbreak. The marketing executives of this infection have a habit of hosting an ad on a legitimate site and spreading the dropper through it. Not sure whether they follow the same methodology or something new.

The snapshot below is an apology post from a legitimate site's (Gizmodo) editor. The very first variant of Fakespypro managed to fool sites and host their malware.


Does anyone have news like the above about the techniques followed by the latest variants (Security Suite or Antivirus IS)?
 #2953  by EP_X0FF
 Thu Oct 07, 2010 4:36 am
Desktop Security 2010

http://www.virustotal.com/file-scan/rep ... 1286426148

Runs from C:\Documents and Settings\UserName\Application Data\Desktop Security\

Unpacked size is about 20 MB.

Screenshots (not reproduced here): GUI, warnings, payment screen.

Removal is simple.
Attachment (2.6 MiB), archive password: malware
 #3227  by PX5
 Tue Oct 26, 2010 1:29 pm
Maybe one of the mods can sort out where this belongs; it will do something very similar to this...

http://www.threatexpert.com/report.aspx ... 67b997acac

It has my pal Sirefef in the package. I don't think the fake crap is all that new, but this should be a newish version of Sirefef at least.

No testing done yet, so no idea if there is anything to toot a horn about; will be interested to see.

http://www.virustotal.com/file-scan/rep ... 1288065542

VT appears to be getting hammered, so unable to fresh scan the dropper.
Attachment (172.54 KiB)
 #3241  by wealllbe20
 Wed Oct 27, 2010 2:32 pm
ThinkPoint

Another Fake AV.

Installed via a Java exploit on Java version 1.5.18.

Disables Task Manager.

Had to actually go into the settings of the fake AV program and disable the autostart virus scanner.

Then was able to go to Start -> Run and type in command

and from the command prompt told the user to run: taskkill /im hotfix.exe /f

Afterwards Task Manager could be run.


Also created what appeared to be a randomly named batch file on the desktop and an mstsc.exe on the desktop (same PE name as Remote Desktop).

If the batch script were run, it would run the mstsc file, delete it and then delete the batch script itself.


http://www.virustotal.com/file-scan/rep ... 288188708# (8/14)
Attachment (490.63 KiB), archive password: infected
 #3242  by EP_X0FF
 Wed Oct 27, 2010 4:53 pm
wealllbe20 wrote: Another Fake AV.
That's the same MSE-like fake AV ThinkPoint. Written in Delphi + UPX.

This build was kinda buggy on my machine: it was unable to write itself correctly into the registry and died after reboot.

http://www.kernelmode.info/forum/viewto ... 3186#p3186
 #3285  by EP_X0FF
 Tue Nov 02, 2010 4:41 pm
AV Defender 2011

Written in Delphi, passed through a cryptor.

Copies itself (XP) to Documents and Settings\UserName\Application Data\RandomName\RandomName.exe

Annoying pop-ups, tons of fake detections included.

http://www.virustotal.com/file-scan/rep ... 1288715752

Autostart through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell registry key.

GUI screenshots (not reproduced here).
Attachment (937.46 KiB), archive password: malware
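Two of the traits reported in this thread are easy to check for on a suspect box: the Winlogon\Shell autostart that AV Defender 2011 uses, and the habit shared by Desktop Security 2010 and AV Defender of running out of the user's Application Data folder. The script below is an added example, not code from any post here and not a tool from the forum; it parses the text that `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` prints, splits the comma-separated Shell and Userinit values, and flags any entry that is not the stock binary, noting when the entry lives in a user-writable profile directory. The registry output and the `kqwrtxc` path it contains are constructed for the example; a real host would have a different random name.

```python
import re

# Constructed sample of `reg query` output for the Winlogon key on an infected
# XP host. The RandomName directory (kqwrtxc) is made up for this example.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe,C:\Documents and Settings\UserName\Application Data\kqwrtxc\kqwrtxc.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
"""

# Stock values on XP. Shell is compared by bare name because Explorer is
# resolved from the Windows directory; Userinit is normally a full path.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

# Directories a non-admin user can write to; rogue AVs drop and run from here.
USER_WRITABLE = re.compile(
    r"\\(application data|appdata|local settings|temp|desktop)\\", re.I
)


def parse_reg_query(text):
    """Return {value_name_lower: data} for REG_SZ/REG_EXPAND_SZ lines of reg query output."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if m:
            values[m.group(1).lower()] = m.group(2).strip()
    return values


def split_entries(value):
    """Winlogon values are comma-separated; the trailing comma on Userinit is normal."""
    return [e.strip() for e in value.split(",") if e.strip()]


def check_winlogon(text):
    """Return (value_name, entry, reason) for every non-stock Shell/Userinit entry."""
    findings = []
    values = parse_reg_query(text)
    for name, expected in EXPECTED.items():
        if name not in values:
            continue
        for entry in split_entries(values[name]):
            low = entry.lower()
            if low in expected:
                continue
            reason = "unexpected entry"
            if USER_WRITABLE.search(low):
                reason = "runs from user-writable profile directory"
            findings.append((name, entry, reason))
    return findings


if __name__ == "__main__":
    for name, entry, reason in check_winlogon(SAMPLE_REG_QUERY):
        print(f"{name}: {entry}  <- {reason}")
```

On a live host you would feed it the real `reg query` output (or the same data pulled over a remote registry connection) and, for Shell, also resolve the bare `explorer.exe` against `%WINDIR%` to make sure nothing dropped a same-named copy earlier in the search path, the trick the ThinkPoint post describes with its desktop `mstsc.exe`.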